Rainbow tables are not some kind fun game for children, nor are they colorful pieces of furniture Instead they are just one tool in a hackers tool box and they are a threat to your passwords. But that’s as far as my knowledge went, so I decided to do some research to find out more.
A rainbow table is basically a large dictionary of pre-computed hashed passwords alongside the actual plaintext passwords from which the hashes were generated. As a result, rainbow tables provide a very efficient way of to look-up stolen hashed passwords and therefore obtain the actual password which they were hashed from.
The basic gist behind rainbow tables
Say for example there was a vulnerability on a website (like a SQL injection vulnerability for example) that when exploited by a hacker, leaked the entire contents of the website’s user database. Well, all those usernames and passwords wouldn’t be immediately useful because chances are that the passwords are hashed (see below) or encrypted.
So what are the options? Well, the hacker could either attempt to crack the passwords using a brute-force password cracking program such as John the Ripper. Programs like this will attempt to guess each password by trying every possible combination of that password. There are various types of brute force attacks including credential recycling (trying usernames and passwords from previous attacks), reverse brute force attacks (knowing the password but not the username) and dictionary attacks where all the words in a dictionary are tested to find a password.
The trouble is, this is very inefficient and could take a long time (weeks, months or even years) depending on the length and complexity of the passwords in there. That’s where rainbow tables come in.
Rainbow tables
You can think of rainbow tables as a huge spreadsheet filled with a bunch of hashed passwords in one column and plaintext versions of each of those passwords in another column adjacent to the hashes.
So essentially, these tables enable hackers to determine what the plaintext version of a password is for a given hash without the hacker having to know which hashing algorithm was used.
Not only do Rainbow Tables allow the hacker to lookup hashes to determine the plain text password, the hacker don’t always have to know the exact plain text password in order to access a user’s account. This is because, two different passwords may have the same hash, as long as the password that the attacker uses (when hashed) matches the hash stored for that user in the user database.
Because the hashes are pre-computed, passwords can be cracked in a very short space of time in comparison to brute-force methods. The only downside is, is that Rainbow Tables can be very large (Gigabytes or Terabytes in size). But storage is cheap these days compared to the prices say a decade ago for instance.
So we’ve talked about hashed passwords, but let’s look into a little more detail in terms of what that actually means.
What is a hashed password?
A hashed password is basically a plaintext password such as “password123” which has been scrambled and generally looks like gibberish. The hash could look something like sdofusdfusyf8syfushf87s8dfA but your actual password could be ilikecomplexandsecurepasswords34934. A hash is therefore a secure way of representing data as a unique string of characters, it is typically a different length than the original password and is derived using a combination of the password, a salt (if used) and the algorithm itself.
Once a password has been hashed, it cannot be reversed, so it’s impossible to turn the hashed value into its original password. There is no private key available like those used in encryption algorithms, so you can’t decode a hash to retrieve the original plain text password.
So how do website’s verify that your password is correct, without storing the actual password? Well, typically the system will take the user’s password that they are attempting to login with, re-compute the hash of that password and compare it with the hash in a database record. If the hashes match, then the user is granted access to their online account.
Is my password secure?
It depends. The advice is to create strong passwords or passphrases (see how to create a secure password) that make it difficult or impossible for a brute-force algorithm to guess your password. However, even if your password is secure, that’s not enough to prevent hackers gaining access to your account if the hashing algorithm used by the website is weak.
There are many algorithms available and some are more secure that others. A few of the most popular ones are:
MD5
MD5 first published in 1992 as a cryptographic hashing algorithm but has now been shown to be insecure and relatively easy to break. It computes 128-bit hash values, which are easy to produce and as such should not be used to hash passwords. MD5 is not completely useless though as it is often used to verify whether a file downloaded from the Internet has been tampered with or not.
SHA1
SHA1 was designed by the NSA in 1993 and published in 1995. Although it is much more secure than MD5, it is still considered insecure because computing power has vastly increased to the point where, alongside sophisticated password cracking methods, it has now possible perform a so-called attack on the hash and produce the actual source password.
SHA2
SHA2 is the successor to SHA1 and designed, yet again, by the NSA and published in 2001. The Secure Hash Algorithm 2 (SHA-2) is a family of hash functions that produce longer hash values with 224, 256, 384 or 512 bits, and are often written as SHA-224, SHA-256, SHA-384 or SHA-512.
Unlike MD5 and SHA1, SHA2 is considered secure and suitable for hashing passwords and as yet, no attack has been demonstrated against it.
So how do you protect against Rainbow Table attacks?
Well, there’s not much users can do apart from staying away from websites that restrict password lengths to a short number of characters, because this is a sign that there are some old and insecure password hashing algorithms being used behind the scenes.
Another tip is to use two-factor authentication where possible. If the hacker does manage to get hold of your password, they would also need access to your mobile phone or your physical two-factor authentication key which you can get from Amazon (#CommissionsEarned)
Other than that, it is the responsibility of software developers and system administrators to prevent against these sort of attacks.
The best policy is to stay away from inscure hashing algorithms such as MDA5 or SHA1. Secondly, a cryptographic “salt” should be used when you are hashing passwords. A “salt” is basically a password that is “added to the mix” when a password is being hashed or encrypted by an algorithm.
Adding a “salt” can make a simple encyption algorithm exponentially harder to crack because each bit of salt used doubles the amount of storage and computation required.